CVE-2025-37929 Overview
CVE-2025-37929 is a vulnerability in the Linux kernel affecting ARM64 architecture systems where missing sentinel entries in Spectre-BHB MIDR arrays cause the is_midr_in_range_list() function to walk off the end of the array, leading to a kernel panic during boot. This flaw was introduced when additional CPUs were added to the Spectre-BHB workaround lists without including the required sentinel (terminating) entries in the new arrays.
Critical Impact
Systems running affected Linux kernel versions on ARM64 architecture can experience kernel panic and system crash during boot when UBSAN is enabled, resulting in complete denial of service.
Affected Products
- Linux Kernel versions 5.15.x through 5.15.181
- Linux Kernel versions 6.15-rc1 through 6.15-rc4
- Debian Linux 11.0
Discovery Timeline
- May 20, 2025 - CVE-2025-37929 published to NVD
- November 10, 2025 - Last updated in NVD database
Technical Details for CVE-2025-37929
Vulnerability Analysis
This vulnerability stems from a missing array terminator (sentinel entry) in the Spectre-BHB MIDR arrays within the ARM64 errata handling code. When commit a5951389e58d added newer ARM cores to the spectre_bhb_loop_affected() lists, it introduced new arrays for CPU designs requiring different 'k' values for the Spectre-BHB workaround. However, these new arrays were missing the required sentinel entries that signal the end of the list.
The is_midr_in_range_list() function iterates through these arrays looking for a matching CPU MIDR value. Without a sentinel entry to mark the end of the array, when no match is found, the function continues reading past the allocated memory boundary. With UBSAN (Undefined Behavior Sanitizer) enabled, this out-of-bounds access triggers a fatal BRK exception, causing the kernel to panic during the early boot process.
Root Cause
The root cause is a programming error in the kernel's ARM64 errata handling code. The new MIDR arrays added for Spectre-BHB mitigation lacked the required terminating sentinel entries. In C arrays used as lists, a sentinel value (typically a zeroed or specially-marked entry) signals the end of valid data. The omission of these sentinels causes buffer over-read conditions when the iteration function attempts to find a non-existent CPU match.
Attack Vector
This vulnerability requires local access and is primarily a reliability/availability issue rather than a security exploitation vector. The vulnerability manifests during kernel boot initialization when all of the following hold:
- The system runs on ARM64 architecture with affected kernel versions
- UBSAN is enabled in the kernel configuration
- The CPU does not match any entry in the affected MIDR arrays
- The spectre_bhb_loop_affected() function is called during CPU capability detection
The kernel crash trace shows the fault occurring in spectre_bhb_loop_affected() called from update_cpu_capabilities() during the init_cpu_features() boot sequence, resulting in an unrecoverable kernel panic.
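A simplified user-space model of the sentinel-terminated walk described above, added here as an illustration and not taken from the kernel source. The struct layout, macro names, model IDs and the bounded helper `midr_in_list_bounded` are assumptions; the bounded walk reports the exact case in which the unbounded one would read past the array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a MIDR range entry; field and macro names are assumptions. */
struct midr_range { uint32_t model, rv_min, rv_max; };
#define ALL_VERSIONS(m) { (m), 0, 0xffffffffu }
#define ARRAY_SIZE(a)   (sizeof(a) / sizeof((a)[0]))
/* Constructed model IDs, not real MIDR encodings. */
enum { CPU_A = 0x1000, CPU_B = 0x2000, CPU_OTHER = 0x3000 };

/* Buggy shape: no terminating entry after the last CPU. */
static const struct midr_range list_unterminated[] = {
    ALL_VERSIONS(CPU_A), ALL_VERSIONS(CPU_B),
};
/* Fixed shape: a zeroed sentinel marks the end of the list. */
static const struct midr_range list_fixed[] = {
    ALL_VERSIONS(CPU_A), ALL_VERSIONS(CPU_B), { 0 },
};

/* Sentinel walk: stops only at model == 0, so it is safe only on terminated lists. */
static bool midr_in_list(uint32_t midr, const struct midr_range *r)
{
    for (; r->model; r++)
        if (midr == r->model)
            return true;
    return false;
}

/* Bounded walk for auditing: 1 = match, 0 = no match (sentinel reached),
 * -1 = ran out of entries without seeing a sentinel. */
static int midr_in_list_bounded(uint32_t midr, const struct midr_range *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].model == 0)
            return 0;
        if (midr == r[i].model)
            return 1;
    }
    return -1;
}

int main(void)
{
    size_t n = ARRAY_SIZE(list_unterminated);
    printf("fixed, no match: %d\n", midr_in_list(CPU_OTHER, list_fixed));
    printf("unterminated, no match: %d\n", midr_in_list_bounded(CPU_OTHER, list_unterminated, n));
    return 0;
}
```

A matching CPU returns before the end of either list, which is why the fault appears only on CPUs that match no entry.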
Detection Methods for CVE-2025-37929
Indicators of Compromise
- Kernel panic messages during boot containing spectre_bhb_loop_affected in the call trace
- System crash logs showing Internal error: aarch64 BRK: 00000000f2000001 error codes
- Boot failures on ARM64 systems after kernel updates with UBSAN enabled
- Crash traces referencing is_spectre_bhb_affected and update_cpu_capabilities functions
Detection Strategies
- Monitor system boot logs for kernel panic messages related to Spectre-BHB functions
- Check kernel version against affected releases (5.15.x through 5.15.181, 6.15-rc1 through 6.15-rc4)
- Review dmesg output on ARM64 systems for BRK exception errors during boot
- Audit kernel configuration for UBSAN enablement combined with affected kernel versions
Monitoring Recommendations
- Implement automated boot monitoring for ARM64 infrastructure to detect early kernel panics
- Configure remote syslog collection to capture boot-time failures before the system becomes unresponsive
- Deploy kernel version tracking across ARM64 fleet to identify systems requiring patching
- Enable serial console logging for ARM64 systems to capture early-boot crash information
How to Mitigate CVE-2025-37929
Immediate Actions Required
- Update to a patched Linux kernel version immediately on all affected ARM64 systems
- Review and apply kernel patches from the official kernel git repository
- Temporarily disable UBSAN in kernel configuration if immediate patching is not possible
- Prioritize patching for production ARM64 systems in critical infrastructure
Patch Information
Multiple patches have been released to address this vulnerability by adding the missing sentinel entries to the Spectre-BHB MIDR arrays:
- Kernel Git Commit 090c871
- Kernel Git Commit 33357920
- Kernel Git Commit 3821cae9
- Kernel Git Commit 446289b8
- Kernel Git Commit 6266b350
- Kernel Git Commit e68da90a
- Kernel Git Commit fee4d171
For Debian Linux 11.0 users, refer to the Debian LTS Announcement for distribution-specific patch information.
Workarounds
- Disable UBSAN in kernel configuration (CONFIG_UBSAN=n) as a temporary workaround until patching is complete
- Use older stable kernel versions (pre-a5951389e58d commit) that do not contain the problematic arrays
- For development environments, consider switching to x86_64 architecture temporarily while awaiting patch deployment
- Schedule maintenance windows for ARM64 systems to apply kernel updates with minimal service disruption
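```bash
# Check current kernel version
uname -r
# Verify if UBSAN is enabled in running kernel
# (falls back to /boot/config-* when /proc/config.gz is not available, as on Debian)
zcat /proc/config.gz 2>/dev/null | grep CONFIG_UBSAN || grep CONFIG_UBSAN "/boot/config-$(uname -r)"
# Apply kernel update on Debian-based systems
sudo apt update && sudo apt upgrade linux-image-arm64
# Reboot to apply new kernel
sudo reboot
```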

